Hi,
I upgrade in 7.3.3 and i have a problem with one fieldalias
I know the ASNEW settings since 7.2.4 restore old behaviour but not working when field create by OPEARTOR LOOKUP (not FIELDALIAS)
**Example:**
a) After extraction in transforms.conf my event is:
... sourcetype=sourcetype_test, vendor_action=test, Dest_ip=X.X.X.X
b) In default/props.conf, "action" is call one time:
[sourcetype_test]
LOOKUP-risk_vendor_action_to_action = test_action_lookup vendor_action OUTPUT action
c) In my local/props.conf, i create 2 alias:
[sourcetype_test]
FIELDALIAS-risk_action = vendor_action ASNEW action
FIELDALIAS-risk_dest = Dest_ip ASNEW dest
d) RESULT:
... sourcetype=sourcetype_test, vendor_action=test, Dest_ip=X.X.X.X, dest=X.X.X.X
=> no field "action" but create field "dest"
When i comment LOOKUP line in defaut/props.conf
=> It works!
**Problem:**
I don't have to modify default/props.conf (best practice) then how can we disable this in my local/props.conf
Kind Regards
↧